.Oc
.Op Ar hostname | user@hostname
.Op Ar command
-.Sh DESCRIPTION
+.Sh DESCRIPTION
.Nm
(Secure Shell) is a program for logging into a remote machine and for
executing commands on a remote machine.
arbitrary TCP/IP ports can also be forwarded over the secure channel.
.Pp
.Nm
-connects and logs into the specified
+connects and logs into the specified
.Ar hostname .
The user must prove
his/her identity to the remote machine using one of several methods.
.Pa /etc/shosts.equiv
on the remote machine, and the user names are
the same on both sides, the user is immediately permitted to log in.
-Second, if
+Second, if
.Pa \&.rhosts
or
.Pa \&.shosts
or
.Pa /etc/shosts.equiv ,
and if additionally the server can verify the client's
-host key (see
+host key (see
.Pa /etc/ssh_known_hosts
and
.Pa $HOME/.ssh/known_hosts
and the rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]
.Pp
-As a third authentication method,
+As a third authentication method,
.Nm
supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
where encryption and decryption are done using separate keys, and it
is not possible to derive the decryption key from the encryption key.
RSA is one such system.
-The idea is that each user creates a public/private
+The idea is that each user creates a public/private
key pair for authentication purposes.
The server knows the public key, and only the user knows the private key.
-The file
+The file
.Pa $HOME/.ssh/authorized_keys
lists the public keys that are permitted for logging
in.
implements the RSA authentication protocol automatically.
The user creates his/her RSA key pair by running
.Xr ssh-keygen 1 .
-This stores the private key in
+This stores the private key in
.Pa \&.ssh/identity
and the public key in
.Pa \&.ssh/identity.pub
in the user's home directory.
The user should then copy the
.Pa identity.pub
-to
+to
.Pa \&.ssh/authorized_keys
-in his/her home directory on the remote machine (the
+in his/her home directory on the remote machine (the
.Pa authorized_keys
-file corresponds to the conventional
+file corresponds to the conventional
.Pa \&.rhosts
file, and has one key
per line, though the lines can be very long).
.Xr ssh-agent 1
for more information.
.Pp
-If other authentication methods fail,
+If other authentication methods fail,
.Nm
prompts the user for a password.
The password is sent to the remote
with
.Ic ~^Z .
All forwarded connections can be listed with
-.Ic ~#
+.Ic ~#
and if
the session blocks waiting for forwarded X11 or TCP/IP
connections to terminate, it can be backgrounded with
configured on the command line or in configuration files.
.Pp
The
-.Ev DISPLAY
+.Ev DISPLAY
value set by
.Nm
will point to the server machine, but with a display number greater
.Nm
automatically maintains and checks a database containing RSA-based
identifications for all hosts it has ever been used with.
-The database is stored in
+The database is stored in
.Pa \&.ssh/known_hosts
in the user's home directory.
-Additionally, the file
+Additionally, the file
.Pa /etc/ssh_known_hosts
is automatically checked for known hosts.
Any new hosts are automatically added to the user's file.
Disables forwarding of the authentication agent connection.
This may also be specified on a per-host basis in the configuration file.
.It Fl c Ar blowfish|3des
-Selects the cipher to use for encrypting the session.
+Selects the cipher to use for encrypting the session.
.Ar 3des
is used by default.
-It is believed to be secure.
+It is believed to be secure.
.Ar 3des
(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
It is presumably more secure than the
.Nm
is going to ask for passwords or passphrases, but the user
wants it in the background.
-This implies
+This implies
.Fl n .
The recommended way to start X11 programs at a remote site is with
something like
.It Fl g
Allows remote hosts to connect to local forwarded ports.
.It Fl i Ar identity_file
-Selects the file from which the identity (private key) for
+Selects the file from which the identity (private key) for
RSA authentication is read.
-Default is
+Default is
.Pa \&.ssh/identity
in the user's home directory.
Identity files may also be specified on
are supported.
The default is
.Dq 3des .
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2
+in order of preference.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
.It Cm Compression
Specifies whether to use compression.
The argument must be
to disable the escape
character entirely (making the connection transparent for binary
data).
-.It Cm FallBackToRsh
+.It Cm FallBackToRsh
Specifies that if connecting via
.Nm
fails due to a connection refused error (there is no
.Xr sshd 8
-listening on the remote host),
+listening on the remote host),
.Xr rsh 1
should automatically be used instead (after a suitable warning about
the session being unencrypted).
.Dq no .
.It Cm ForwardX11
Specifies whether X11 connections will be automatically redirected
-over the secure channel and
+over the secure channel and
.Ev DISPLAY
set.
-The argument must be
+The argument must be
.Dq yes
or
.Dq no .
The default is
.Dq no .
.It Cm GlobalKnownHostsFile
-Specifies a file to use instead of
+Specifies a file to use instead of
.Pa /etc/ssh_known_hosts .
.It Cm HostName
Specifies the real host name to log into.
.It Cm Port
Specifies the port number to connect on the remote host.
Default is 22.
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support in order of preference.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
.It Cm ProxyCommand
Specifies the command to use to connect to the server.
The command
.Dq no .
.It Cm StrictHostKeyChecking
If this flag is set to
-.Dq yes ,
+.Dq yes ,
.Nm
ssh will never automatically add host keys to the
.Pa $HOME/.ssh/known_hosts
The
.Ev DISPLAY
variable indicates the location of the X11 server.
-It is automatically set by
+It is automatically set by
.Nm
to point to a value of the form
.Dq hostname:n
Set to the name of the user logging in.
.El
.Pp
-Additionally,
+Additionally,
.Nm
-reads
-.Pa $HOME/.ssh/environment ,
+reads
+.Pa $HOME/.ssh/environment ,
and adds lines of the format
.Dq VARNAME=value
to the environment.
It is possible to specify a passphrase when
generating the key; the passphrase will be used to encrypt the
sensitive part of this file using 3DES.
-.It Pa $HOME/.ssh/identity.pub
+.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication (public part of the
identity file in human-readable form).
The contents of this file should be added to
required.
This file should only be writable by root.
.It Pa /etc/shosts.equiv
-This file is processed exactly as
+This file is processed exactly as
.Pa /etc/hosts.equiv .
This file may be useful to permit logins using
.Nm
.Nm
when the user logs in just before the user's shell (or command) is
started.
-See the
+See the
.Xr sshd 8
manual page for more information.
.It Pa $HOME/.ssh/environment
has been updated to support ssh protocol 1.5, making it compatible with
all other ssh protocol 1 clients and servers.
.It
-contains added support for
+contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
.Op Fl k Ar key_gen_time
.Op Fl p Ar port
.Op Fl V Ar client_protocol_id
-.Sh DESCRIPTION
+.Sh DESCRIPTION
.Nm
-(Secure Shell Daemon) is the daemon program for
+(Secure Shell Daemon) is the daemon program for
.Xr ssh 1 .
Together these programs replace rlogin and rsh programs, and
provide secure encrypted communications between two untrusted hosts
.Pp
.Nm
is the daemon that listens for connections from clients.
-It is normally started at boot from
+It is normally started at boot from
.Pa /etc/rc .
It forks a new
daemon for each incoming connection.
.It Fl i
Specifies that
.Nm
-is being run from inetd.
+is being run from inetd.
.Nm
is normally not run
from inetd because it needs to generate the server key before it can
.El
.Sh CONFIGURATION FILE
.Nm
-reads configuration data from
+reads configuration data from
.Pa /etc/sshd_config
(or the file specified with
.Fl f
Only user names are valid, a numerical user ID isn't recognized.
By default login is allowed regardless of the user name.
.Pp
+.It Cm Ciphers
+Specifies the ciphers allowed for protocol version 2.
+Multiple ciphers must be comma-separated.
+The default is
+.Dq blowfish-cbc,3des-cbc,arcfour,cast128-cbc .
.It Cm CheckMail
Specifies whether
.Nm
.It Cm IgnoreRhosts
Specifies that
.Pa .rhosts
-and
+and
.Pa .shosts
files will not be used in authentication.
.Pa /etc/hosts.equiv
and
-.Pa /etc/shosts.equiv
+.Pa /etc/shosts.equiv
are still used.
-The default is
+The default is
.Dq yes .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Dq yes .
.It Cm KerberosTgtPassing
Specifies whether a Kerberos TGT may be forwarded to the server.
-Default is
+Default is
.Dq no ,
as this only works when the Kerberos KDC is actually an AFS kaserver.
.It Cm KerberosTicketCleanup
.It Cm PrintMotd
Specifies whether
.Nm
-should print
+should print
.Pa /etc/motd
when a user logs in interactively.
(On some systems it is also printed by the shell,
or equivalent.)
The default is
.Dq yes .
+.It Cm Protocol
+Specifies the protocol versions
+.Nm
+should support.
+The possible values are
+.Dq 1
+and
+.Dq 2 .
+Multiple versions must be comma-separated.
+The default is
+.Dq 1 .
.It Cm RandomSeed
Obsolete.
Random number generation uses other techniques.
The minimum value is 512, and the default is 768.
.It Cm SkeyAuthentication
Specifies whether
-.Xr skey 1
+.Xr skey 1
authentication is allowed.
The default is
.Dq yes .
.Bl -enum -offset indent
.It
If the login is on a tty, and no command has been specified,
-prints last login time and
+prints last login time and
.Pa /etc/motd
(unless prevented in the configuration file or by
.Pa $HOME/.hushlogin ;
see the
-.Sx FILES
+.Sx FILES
section).
.It
If the login is on a tty, records login time.
Runs user's shell or command.
.El
.Sh AUTHORIZED_KEYS FILE FORMAT
-The
+The
.Pa $HOME/.ssh/authorized_keys
file lists the RSA keys that are
permitted for RSA authentication.
.Pp
command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi
.Sh SSH_KNOWN_HOSTS FILE FORMAT
-The
+The
.Pa /etc/ssh_known_hosts
-and
+and
.Pa $HOME/.ssh/known_hosts
files contain host public keys for all known hosts.
The global file should
Note that the lines in these files are typically hundreds of characters
long, and you definitely don't want to type in the host keys by hand.
Rather, generate them by a script
-or by taking
+or by taking
.Pa /etc/ssh_host_key.pub
and adding the host names at the front.
.Ss Examples
.Pa $HOME/.ssh/known_hosts
can but need not be world-readable.
.It Pa /etc/nologin
-If this file exists,
+If this file exists,
.Nm
refuses to let anyone except root log in.
The contents of the file
has been updated to support ssh protocol 1.5, making it compatible with
all other ssh protocol 1 clients and servers.
.It
-contains added support for
+contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It